PROTECTION OF BOOT BLOCK DATA AND ACCURATE REPORTING OF BOOT BLOCK CONTENTS



1. Field

This invention relates to the field of data security. In particular, the invention 
relates to an apparatus and method for protecting information and accurately reporting this 
information within an electronic system. 

2. Background

Personal computers (PCs) typically include different types of storage components 
to store programs and data. These storage components include random access memory 
(RAM), read-only memory (ROM), and memory devices that are located external to the 
PC (e.g., a hard disk or a floppy disk). To load an operating system on a PC, it is necessary 
to initialize or "boot" the PC by loading and executing boot code. Because the PC 
typically is unable to access external devices until after it is booted, the boot code is stored 
internally within the PC.

Typically, a ROM component is used to store the boot code. This boot code, 
normally referred to as the "boot block," is obtained from the ROM and executed. The boot 
block is coded to (i) locate the Basic Input/Output System (BIOS), (ii) load the BIOS for 
execution, and (iii) pass control to the BIOS. In addition, current platform developments 
may now require the boot block to report each step of the boot process to a hardware 
device referred to as a "trusted platform module" (TPM). Defined by the Trusted 
Computing Platform Alliance, the TPM records the operations of the boot process for 
subsequent verification by a challenger that the boot process occurred as expected. This 
poses a number of disadvantages.

For example, the boot block would now need to reliably report the steps of the boot 
process to the TPM. Thus, to ensure reliable transfer of this data, the boot block would 
likely require data processing functionality in order to perform cryptographic operations 
on the data before submission to the TPM.

Additionally, this communication protocol between the boot block and the TPM 
would be trustworthy only if the boot block is unchangeable. However, this protocol is 
unable to detect modifications to information regarding the boot process originating from 
the boot block or replacement of the ROM itself.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will become apparent from 
the following detailed description of the present invention in which:

Figure 1 is an exemplary embodiment of a platform practicing the invention.

Figure 2 is an exemplary embodiment of the packaged IC device employed within 
the platform of Figure 1. 

Figure 3 is an exemplary embodiment of the TPM of Figure 2. 
Figure 4 is an exemplary embodiment of a flowchart illustrating the operations 
during initialization of the platform of Figure 1.

DESCRIPTION 

The present invention relates to an apparatus and method for protecting 
information and accurately reporting this information within an electronic system. More 
specifically, the invention comprises the act of binding the TPM to a boot block memory 
device. This binding, which may be physical or logical (through cryptographic 
mechanisms), allows the TPM to accurately report the identity of the boot block without 
reliance on any intervening devices.

Herein, certain details are set forth in order to provide a thorough understanding of 
the present invention. It is apparent to a person of ordinary skill in the art, however, that 
the present invention may be practiced through many embodiments other than those 
illustrated. Well-known circuits are not set forth in detail in order to avoid unnecessarily 
obscuring the present invention.

In the following description, certain terminology is used to discuss features of the 
present invention. For example, a "platform" includes any product that performs 
operations for subsequent analysis and verification of the platform's boot process. 
Examples of the platform include, but are not limited or restricted to, a computer (e.g., 
desktop, a laptop, a server, a workstation, a personal digital assistant or other hand-held, 
etc.); communication equipment (e.g., wireless handset, facsimile, etc.); a television 
set-top box and the like. A "link" is broadly defined as one or more information-carrying 
mediums such as electrical wire, optical fiber, cable, trace, or even a wireless channel 
using infrared, radio frequency (RF), or any other wireless signaling mechanism.
In addition, the term "information" is defined as one or more bits of data, address, 
and/or control. A "software module" includes code that, when executed, performs a 
certain function. Examples of a software module include an application, an applet, or even 
a series of code instructions, possibly a subset of code from an applet, acting as a lesser 
sized software module.

A "cryptographic operation" is an operation performed for additional data security. 
For example, one type of cryptographic operation involves digitally signing information to 
produce a digital signature. This digital signing operation may be in accordance with the 
Digital Signature Algorithm (DSA). Another type of cryptographic operation involves 
hashing, namely a one-way conversion of information to a fixed-length representation. 
Often, this representation, referred to as a "hash value" or an "identifier", is substantially 
less in size than the original information. It is contemplated that, in some cases, a 1:1 
conversion of the original information may be performed.

Referring to Figure 1, an exemplary block diagram of an illustrative embodiment 
of a platform 100 employing the present invention is shown. The platform 100 comprises 
a processor 110, a memory control hub (MCH) 120, a system memory 130, an 
input/output control hub (ICH) 140, and a packaged integrated circuit (IC) device 150 
which initiates and monitors the boot process of the platform 100. The packaged IC 
device 150 features a boot block memory unit 220 and a trusted platform module 230 as 
described in Figure 2.

As shown in Figure 1, the processor 110 represents a central processing unit of any 
type of architecture, such as complex instruction set computers (CISC), reduced 
instruction set computers (RISC), very long instruction word (VLIW), or a hybrid 
architecture. In one embodiment, the processor 110 is compatible with the Intel® 
Architecture (IA) processor, such as the IA-32 and the IA-64. Of course, in an alternative 
embodiment, the processor 110 may include multiple processing units coupled together 
over a common host bus 105.

Coupled to the processor 110 via the host bus 105, the MCH 120 may be integrated 
into a chipset that provides control and configuration of memory and input/output devices 

such as the system memory 130 and the ICH 140. The system memory 130 stores system 
code and data. The system memory 130 is typically implemented with dynamic random 
access memory (DRAM) or static random access memory (SRAM). 
The ICH 140 may also be integrated into a chipset together with or separate from the 
MCH 120 to perform I/O functions. As shown, the ICH 140 supports communications 
with the packaged IC device 150 via link 160. Also, the ICH 140 supports 
communications with components coupled to other links such as a Peripheral Component 
Interconnect (PCI) bus at any selected frequency (e.g., 66 megahertz "MHz", 100 MHz, 
etc.), an Industry Standard Architecture (ISA) bus, a Universal Serial Bus (USB) or 
another bus configured with a different architecture than those briefly mentioned.

Of course, it is contemplated that the packaged IC device 150 may be employed in 
a different embodiment than described above. For example, the packaged IC device 150 
may be employed within the ICH 140. Thus, the package associated with this 
embodiment is the package that protects other integrated circuit(s) associated with the 
functionality of the ICH 140.

Referring to Figure 2, an exemplary embodiment of the packaged IC device 150 is 
shown. The packaged IC device 150 comprises one or more integrated circuits placed 
within a protective package 200 such as an IC package, a cartridge covering a removable 
daughter card and the like. For this embodiment, the packaged IC device 150 comprises a 
single integrated circuit 210 featuring a boot block memory unit 220 in communication 
with a trusted platform module (TPM) 230 over a link 240. This single integrated circuit 
implementation increases the difficulty in monitoring communications between the boot 
block memory unit 220 and the TPM 230. Of course, although not shown, it is 
contemplated that the boot block memory unit 220 and the TPM 230 may be implemented 
as separate integrated circuits.

As shown, the boot block memory unit 220 provides both boot services 250 during 
initialization and boot information to the TPM 230. For example, the "boot services" may 
include a root of trust such as a boot block code executed at the start of the initialization 
process of the platform 100 to locate, load and pass control to the BIOS, for example. 
It is contemplated, however, that the entire BIOS may be substituted for the boot 
block code described above. The "boot information" may be an image of the boot block 
code or multiple sub-images that collectively represent the boot block code, which is used 
to monitor the boot process.

Referring now to Figure 3, an exemplary embodiment of the TPM 230 of Figure 2 
is shown. The TPM 230 comprises an input/output (I/O) interface 300, a processor 310, 
and memory 320 (e.g., volatile and/or non-volatile). Herein, the processor 310 is 
configured to access certain content within the memory 320 (e.g., software modules, 
keying material, etc.) to perform cryptographic operations on incoming information. For 
example, as the TPM extracts the boot information from the boot block memory unit 220 
(or even subsequent to that extraction), the processor 310 performs a hash operation on the 
boot information to produce a boot block identifier 330. The boot block identifier 330 is 
stored in memory 320. For one embodiment, the boot block identifier 330 is calculated for 
each start-up of the platform 100. In another embodiment, however, the boot block 
identifier 330 is calculated for a first start-up and retained in non-volatile memory for 
subsequent use on later start-ups. This is less secure, but less intensive from a processing 
standpoint.

Similarly, during initialization, various software modules are provided to the TPM 
230. Examples of the modules include BIOS 340, Option ROMs such as BIOS extensions 
350, or even an OS loader 360 which is a portion of the operating system that is loaded into 
the system memory 130 to control loading of the operating system. As an option, these 
modules 340, 350 and 360 can undergo a hash operation to produce corresponding 
identifiers 345, 355 and 365 for later use in verification by a challenger.

The TPM 230 further responds to inquiry requests from a challenger. A 
"challenger" may be any electronic device within the platform or even external to the 
platform. The "inquiry request" may be in the form of a challenge message, namely 
information encrypted with keying material (e.g., a public key of the TPM, symmetric key, 
etc.) accessible by the TPM 230. In response, the TPM 230 provides TPM services such 
as a digital signature featuring the boot block identifier 330, keying material, certificates 
and the like.

Referring to Figure 4, a flowchart illustrating the operations during initialization of 
the platform 100 of Figure 1 is shown. Initially, the packaged IC device is directly 
attached to a substrate of a platform by soldering, for example (block 400). If the packaged 
IC device is coupled to a socket, a logical binding should exist between the socket and the 
packaged IC device. During initialization, the boot block memory unit loads and records 
its boot block identifier into memory of the TPM (block 410). Next, the boot block 
memory unit locates and loads the BIOS for execution (block 420). The BIOS (or a 
representation thereof) is provided to the TPM and a BIOS identifier is recorded (blocks 
430 and 440). Thereafter, the BIOS loads its extensions and the OS Loader and provides 
these extensions and OS Loader (or representations thereof) to the TPM for recordation, 
respectively (blocks 450, 460, 470 and 480). Thereafter, the BIOS passes control to the 
OS Loader (block 490).

Thereafter, the TPM can respond to inquiry requests from a challenger to 
determine that the platform has been initialized and is trusted. The term "trusted" means 
that the platform should behave in an expected manner for an intended purpose.
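The Figure 4 measurement sequence and the challenger exchange above, simulated as an added Python example that is not part of the patent: the TPM hashes the boot block, BIOS, BIOS extension and OS loader images into separate identifiers, and a challenger sends a nonce and checks the keyed report against known-good values, so a replaced boot block ROM is detected. The sample images, the TPM key and the use of an HMAC in place of the DSA signature the text mentions are assumptions.

```python
import hashlib
import hmac

# Constructed sample images standing in for the boot block, BIOS, BIOS
# extension and OS loader measured in Figure 4 (real ones are binaries).
IMAGES = {
    "boot_block": b"BOOTBLOCK v1: locate/load BIOS, pass control",
    "bios": b"BIOS v2.0",
    "bios_ext": b"OPTION ROM: NIC boot extension",
    "os_loader": b"OS LOADER",
}
# Hypothetical per-TPM secret standing in for the TPM's signing key.
TPM_KEY = b"tpm-signing-key-(assumed)"

class TPM:
    """TPM memory 320: one identifier (hash value) per measured module."""

    def __init__(self, key):
        self._key = key
        self.identifiers = {}  # module name -> hex hash value

    def measure(self, name, image):
        # Hash operation producing the identifier (blocks 410 to 480).
        self.identifiers[name] = hashlib.sha256(image).hexdigest()

    def respond(self, nonce):
        # Inquiry response: the identifiers plus a keyed tag over them and
        # the challenger's nonce (HMAC stands in for the DSA signature).
        report = "|".join(f"{k}={v}" for k, v in sorted(self.identifiers.items()))
        tag = hmac.new(self._key, nonce + report.encode(), "sha256").hexdigest()
        return report, tag

def boot(tpm, images):
    # Figure 4 order: boot block first, then BIOS, its extension, OS loader.
    for name in ("boot_block", "bios", "bios_ext", "os_loader"):
        tpm.measure(name, images[name])

def golden_values(images):
    # Known-good identifiers the challenger holds for this platform.
    return {k: hashlib.sha256(v).hexdigest() for k, v in images.items()}

def verify(tpm, key, golden, nonce):
    """Challenger: check the tag first, then compare every identifier."""
    report, tag = tpm.respond(nonce)
    expected = hmac.new(key, nonce + report.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged report, wrong TPM, or wrong nonce
    reported = dict(item.split("=", 1) for item in report.split("|"))
    return reported == golden

def demo(nonce=b"challenger-nonce-0001"):
    golden = golden_values(IMAGES)
    good = TPM(TPM_KEY)
    boot(good, IMAGES)
    # A replaced boot block ROM changes the boot block identifier only.
    bad = TPM(TPM_KEY)
    boot(bad, dict(IMAGES, boot_block=b"BOOTBLOCK v1 (replaced ROM)"))
    return verify(good, TPM_KEY, golden, nonce), verify(bad, TPM_KEY, golden, nonce)
```

Because the identifiers are kept separately rather than folded into one value, the challenger can tell which stage (here the boot block) diverged from its golden value.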

While this invention has been described with reference to illustrative embodiments, 
this description is not intended to be construed in a limiting sense. Various modifications 
of the illustrative embodiments, as well as other embodiments of the invention, which are 
apparent to persons skilled in the art to which the invention pertains are deemed to lie 
within the spirit and scope of the invention.
CLAIMS

What is claimed is:

1. An integrated circuit device comprising: 
a package; 
a trusted platform module covered by the package; and 
a boot block memory unit in communication with the trusted platform module and 
covered by the package, the boot block memory unit to provide boot information to the 
trusted platform module.

2. The integrated circuit device of claim 1, wherein the trusted platform 
module and the boot block memory unit are employed on a single integrated circuit.

3. The integrated circuit device of claim 1, wherein the boot information 
includes an image of a boot block code. 

4. The integrated circuit device of claim 1, wherein the trusted platform 
module includes a processor and a memory. 

5. The integrated circuit device of claim 4, wherein the trusted platform 
module performs a hash operation on the boot information to produce a boot block 
identifier for storage within the memory. 

6. The integrated circuit device of claim 5, wherein the boot block memory 
unit locates a basic input/output system (BIOS) and loads the BIOS into the trusted 
platform module.

7. The integrated circuit device of claim 6, wherein the trusted platform 
module performs a hash operation on the BIOS to produce a BIOS identifier for storage 
within the memory. 
8. The integrated circuit device of claim 4, wherein the trusted platform 
module performs a hash operation on a basic input/output system (BIOS) extension to 
produce an extension identifier for storage within the memory. 

9. The integrated circuit device of claim 4, wherein the trusted platform 
module performs a hash operation on an Operating System (OS) loader to produce an OS 
identifier for storage within the memory.

10. A platform comprising: 
a processor; 
an input/output control hub coupled to the processor; and 
an integrated circuit device coupled to the input/output control hub, the integrated 
circuit device including 
a package, 
a trusted platform module covered by the package, and 
a boot block memory unit in communication with the trusted platform module and 
covered by the package, the boot block memory unit to provide boot information to the 
trusted platform module.

11. The platform of claim 10, wherein the trusted platform module and the boot 
block memory unit of the integrated circuit device are employed on a single integrated 
circuit. 

12. The platform of claim 10, wherein the boot information provided by the 
boot block memory unit of the integrated circuit device includes an image of a boot block 
code.

13. The platform of claim 10, wherein the trusted platform module of the 
integrated circuit device includes an internal memory. 
14. The platform of claim 13, wherein the trusted platform module of the 
integrated circuit device performs a hash operation on the boot information to produce a 
boot block identifier for storage within the internal memory. 

15. The platform of claim 14, wherein the boot block memory unit of the 
integrated circuit device locates a basic input/output system (BIOS) and loads the BIOS 
into the trusted platform module of the integrated circuit device.

16. The platform of claim 15, wherein the trusted platform module of the 
integrated circuit device performs a hash operation on the BIOS to produce a BIOS 
identifier for storage within the internal memory. 

17. The platform of claim 13, wherein the trusted platform module of the 
integrated circuit device performs a hash operation on a basic input/output system (BIOS) 
extension to produce an extension identifier for storage within the internal memory.

18. The platform of claim 13, wherein the trusted platform module of the 
integrated circuit device performs a hash operation on an Operating System (OS) loader to 
produce an OS identifier for storage within the internal memory.



19. A method comprising: 

extracting boot information by a trusted platform module from a unit located 
within a same integrated circuit package as the trusted platform module; 

producing an identifier based on the boot information by the trusted platform 
module; and

recording the identifier within memory of the trusted platform module. 

20. The method of claim 19 further comprising: 
receiving an inquiry request; and 

providing the boot information in response to the inquiry request. 
21. The method of claim 19 further comprising: 
locating a basic input/output system (BIOS); 
providing the BIOS to the trusted platform module; 
performing a hash operation on the BIOS to produce a BIOS identifier; and 
storing the BIOS identifier in memory of the trusted platform module.

22. The method of claim 21 further comprising: 
locating an operating system (OS) loader; 
providing the OS loader to the trusted platform module; 

performing a hash operation on the OS loader to produce a loader identifier; and 
storing the loader identifier in memory of the trusted platform module.

23. A software module loaded in internal memory for execution by a trusted 
platform module of a platform, the software module comprising: 

code to extract boot information from a memory located within a same integrated 
circuit package as the trusted platform module; and 
code to produce an identifier based on the boot information and record the 

identifier within the internal memory of the trusted platform module. 

24. The software module of claim 23 further comprising: 
code to detect an inquiry request; and 

code to output the boot information from the integrated circuit package in response 
to the inquiry request.

25. The software module of claim 23 further comprising: 

code to locate a basic input/output system (BIOS) and to provide the BIOS to the 

trusted platform module; 

code to perform a hash operation on the BIOS to produce a BIOS identifier; and 
code to store the BIOS identifier within the internal memory of the trusted platform 

module. 
26. The software module of claim 23 further comprising: 
code to locate an operating system (OS) loader; 
code to provide the OS loader to the trusted platform module; 
code to perform a hash operation on the OS loader to produce a loader identifier; 
and 
code to store the loader identifier within the internal memory of the trusted 
platform module.